Foundations of Network and Computer Security

Transcription

1 Foundations of Network and Computer Security John Black Lecture #21 Nov 9 th 2004 CSCI 6268/TLEN 5831, Fall 2004

2 Announcements Quiz #3 Returned today Proj #2 Due week from Thurs Proj #3 Still time, but get started Tricky in parts Use of class mailing lists Good!

3 Format String Vulnerabilities Example: output(char *p) { printf(p); } Seems harmless: prints whatever string is handed to it But if string is user-supplied, strange things can happen Consider what happens if formatting chacters are included Ex: p = %s

4 Format Strings (cont) Let s play with format strings: AAAAAAA%08x%08x%08x%08x Prints values from the stack (expecting parameters) Top of stack sfp Saved Frame Pointer 4 bytes printf called ret Return address to caller 4 bytes p Ptr to format string 4 bytes values from here are printed Format string AAAAAAAA%08x%08x%08x%08x

5 Example Output Continuing with AAAAAAA%08x%08x%08x%08x AAAAAAAA012f2f1580ff000010ff202018ae1414 So the above values were on the stack how can we exploit this? We can keep printing stack values until we run into the format string itself might lead to something interesting AAAAAAA%08x%08x%08x%08x%08x%08x%08x%08x%08 x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%0 8x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x% 08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x Output: AAAAAAAA12f2f1580f

6 Printing Data from (almost) Anywhere in Memory As we saw, %s interprets stack value as a pointer, not an int Suppose we would like to read from address 0x77f7f570 Note: we can t have any 00 bytes in the address since we are about to embed it in a string Use format string AAAA\x70\xf5\xf7\x77%08x%08x %08x_%s_ Note we re assuming little-endian here Output AAAApJ^0012ff800cccc ccc _&h2!$*\&_ Note that string will terminate at first 0 byte encountered (and segfault if you go off the end of valid memory)

7 Picture of Stack Kind of confusing: As printf reads the format string, it s reading down the stack for its arguments as well When printf gets to the %s, the arg ptr is pointing at \x70\xf5\xf7\x77, so we print the contents of that addr Top of stack printf called sfp ret Saved Frame Pointer Return address to caller 4 bytes 4 bytes values from here are printed p Ptr to format string bytes Format string AAAA\x70\xf5\xf7\x77%08x%08x %08x_%s_

8 But Can We Alter the Stack Contents? Introducing the %n token This one is obscure: nothing is printed but the number of chars printed thus far is stored at the address indicated by the corresponding parameter to %n Ex: printf( hi%n there, &i); now i = 2 How can we use this ability to write to memory? Consider AAAA\x70\xf5\xf7\x77%08x%08x %08%n Writes 0x (= 356) to address 0x77f7f570

9 Using %n Extending this, we can write any value of our choice to (almost) any address AAAA\x70\xf5\xf7\x77\x71\xf5\xf7\x77\x72\xf5\xf7\x7 7\x73\xf5\xf7\x77%08x%08x %08x%n%n%n%n Writes 0x four times, so at address 0x77f7f570 we will see 0x But how do we get values of our choice to address 0x77f7f570 instead of this 0x thing? Let s use the %##u token (or any other that takes a length specifier)

10 Writing Arbitrary Values We use the width specifier to add any number of bytes we like to the current number of printed chars count To write 0xfff09064 we use AAAA\x70\xf5\xf7\x77\x71\xf5\xf7\x77\x72\xf5\xf7\x 77\x73\xf5\xf7\x77%08x%08x %08x%n%43u%n%9 6%n%15u%n This works fine if we are wanting to write everincreasing byte values How can we write 0xf0ff9064? How might we write to address 0x400014a0?

11 Detecting Format String Vulnerabilities Not as hard to detect as buffer overflows (which can be very subtle) One method is to look for calls to printf, sprintf, snprintf, fprintf, etc. and examine the stack clean up code Recall that after a function call returns, it must remove its parameters from the stack by adding the sum of their sizes to esp If we see add $4, %esp, we flag a possible vulnerability

12 Heap Overflows These are among the hardest to exploit and depend on minute OS and compiler details Some hackers consider writing a heap overflow as a rite of passage We will only sketch how they work; a detailed example would take too long This is the last software vulnerability we ll talk about in this class, but there are MANY more

13 What is the Heap? The area of data which grows toward the stack malloc() and new use this memory area for dynamic structures Unlike the stack, we do not linearly grow and shrink the heap We allocated and deallocate blocks in any order We have to worry about marking the size of blocks, blending adjacent deallocated chunks for re-use, etc. Many algorithms (with various tradeoffs) exist so this attack will depend on the specifics of those algorithms

14 The Heap (Layout) HEADER HEAP BUFFER HEADER HEAP BUFFER HEADER HEAP BUFFER Size of Block/8 Flags Size of Prev Block/8 Windows 2K Heap Header Higher Memory

15 How to Exploit a Heap Overflow Details vary, but in one case: free() takes a value from the header and writes to an address also taken from the header If we can overflow the buffer just before this header, we can control both the address used and the value written to that address This address could be a return address on the stack, and we know the rest of the story

16 Other Vulnerabilities We have been discussing a range of common and generic vulnerabilities There are lots more which are more application-specific We couldn t possibly hope to cover them all Let s look at a couple of examples

17 Password Checking and Page Faults Some older OS worked like this: Password was checked character-bycharacter by a high-privilege program If password mismatch occurred, program stopped checking at that point Page faults were viewable by all Idea: Put candidate password on disk which is known not to be in memory, and watch page faults

18 Page Fault Technique (cont) Idea: place candidate password across page boundary on disk If we page fault to get second page, the password-checking program must have matched correctly up to all characters before the boundary If we don t page fault, keep trying last letter before boundary Each time we get a character correct, shift left and continue until we get the whole password Actual Password (protected memory) xyzzy Candidate Password (on disk) xy qr7a Page fault occurs Page boundary

19 Password Crackers Unix approach: store one-way hash of password in a public file Since hash is one-way, there is no risk in showing the digest, right? This assumes there are enough inputs to make exhaustive search impossible (recall IP example from the midterm) There are enough 10-char passwords, but they are NOT equally likely to be used HelloThere is more likely than H7%$$a3#.4 because we re human

20 Password Crackers (cont) Idea is simple: try hashing all common words and scan for matching digest Original Unix algorithm for hash is to iterate DES 25 times using the password to derive the DES key DES 25 (pass, 0 64 ) = digest Note: this was proved secure by noticing that this is the CBCMAC of (0 64 ) 25 under key pass and then appealing to known CBCMAC results Why is DES iterated so many times?

21 Password Crackers (cont) Note: Actually uses a variant of DES to defeat hardware-based approaches Note: Modern implementations often use md5 instead of this DES-based hash But we can still launch a dictionary attack Take large list of words, names, birthdays, and variants and hash them If your password is in this list, it will be cracked

22 Password Crackers: example word alabaster albacore alkaline wont4get digest &trh23gfhad Hj68aan4%41 7%^^1j2labdGH Pasword file /etc/passwd jones:72hadgkhha% jackl:uwuhwuhf12132^ taylor:hj68aan4%41 bradt:&sdf29jhabdjajk22 wirth:8w92h28fh*(hh98h rivest:&shsdg&&hsgdgh2

23 Making Things Harder: Salt In reality, Unix systems always add a twocharacter salt before hashing your password There are 4096 possible salts One is randomly chosen, appended to your password, then the whole thing is hashed Password file contains the digest and the salt (in the clear) This prevents attacking all passwords in /etc/passwd in parallel

24 Password Crackers: with Salt Table for Salt Value: A6 word alabaster albacore alkaline digest &trh23gfhad Pasword file /etc/passwd jones:72hadgkhha%h7 jackl:uwuhwuhf12132^a$ no match taylor:hj68aan4%41y$ bradt:&sdf29jhabdjajk22ja wont4get 7%^^1j2labdGH wirth:8w92h28fh*(hh98h1& rivest:&shsdg&&hsgdgh2*1

25 Fighting the Salt: 4096 Tables Crackers build 4096 tables, one for each salt value Build massive databases, on-line, for each salt 100 s of GB was a lot of storage a few years ago, but not any longer! Indexed for fast look-up Most any common password is found quickly by such a program Used by miscreants, but also by sysadmins to find weak passwords on their system

26 Getting the /etc/passwd File Public file, but only if you have an acct There have been tricks for remotely fetching the /etc/passwd file using ftp and other vulnerabilities Often this is all an attacker is after Very likely to find weak passwords and get on the machine Of course if you are a local user, no problem Removing the /etc/passwd from global view creates too many problems

27 Shadowed Passwords One common approach is to put just the password digests into /etc/shadow /etc/passwd still has username, userid, groupid, home dir, shell, etc., but the digests are missing /etc/shadow has only the username and digests (and a couple of other things) /etc/shadow is readable and writeable for root only Makes it a bit harder to get a hold of Breaks some software (including the buggy web server) which wants to authenticate users with their passwords One might argue that non-root software shouldn t be asking for user passwords anyhow

28 Last Example: Ingres Authorization Ingres, 1990 Strings 2 nd largest database company behind Oracle Authorization Strings Encoded what products and privileges the user had purchased Easier to maintain this way: ship entire product Easier to sell upgrades: just change the string Documentation guys Needed an example auth string for the manual

29 Moral There s no defending against stupidity Social engineering is almost always the easiest way to break in Doesn t work on savvy types or sys admins, but VERY effective on the common user I can almost guarantee I could get the password of most CU students easily Hi this is Jack Stevens from ITS and we need to change your password for security reasons; can you give me your current password?

30 Social Engineering: Phishing Sending authentic looking saying need you to confirm your PayPal account information looks authentic URL is often disguised Rolling over the link might even pop-up a valid URL in a yellow box! Clicking takes you to attacker s site, however This site wants your login info

31 Disguising URLs URI spec is supposed to send you to Can be used to disguise a URL: SECURITYCHECKw8grHGAkdj>jd7788<Account Maintenace s5982ut-aw-ebayconfirm-secure howf8shfMHHIUBd889yK@ Notice feel-good words Length of URI exceeds width of browser, so you may not see the end could be hex encoded for more deception

32 Disguising URL s (cont) This no longer works on IE Still works on Mozilla In IE 5.x and older, there was another trick where you could get the toolbar and URL window to show even though you had been sent to a different site Very scary Moral: don t click on links; type in URL manually